WASHINGTON -- One evening not long ago, a business traveler between flights was making use of his time in a Hong Kong airport lounge by plugging his USB drive into one of the lounge's computers and toiling away on a number of different files.

By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

We need security architectures that will help us think of how to address problems of the future ... but we also need security architectures to help us solve problems today. Tom Scholtz,vice presidentGartner Inc.

But when it was time for the traveler to rush to his gate, he left the USB drive and its sensitive files behind, unknowingly exposing his organization's sensitive data to any opportunistic passerby.

Fortunately, the device was recovered by Gartner Inc. vice president Tom Scholtz, who recounted the story this week at the Stamford, Conn.-based research firm's IT Security Summit. Scholtz made the point that businesses must design, develop and implement security architectures that can mitigate the inherent risks that come with workers taking data with them on the road or using it in new ways.

"We need security architectures that will help us think of how to address problems of the future," Scholtz said, "but we also need security architectures to help us solve problems today."

While security architectures can be defined in a number of ways, Scholtz essentially described them as the policies, processes, components and systems that encompass an enterprise security program. Security architectures ideally provide more insight into how data and devices are secured and more choices in how they can be used.

Scholtz said the ideal security architecture development paradigm consists of three major levels: conceptual, where policies and processes come together; logical, where interactive technological components take shape; and implementation, where systems are built and integration happens.

This method enables an architecture to grow as a result of an organization's true needs; "So you can do high-level planning and separate that from the [various] technology religions," Scholtz said.

Security architectures:

Security Blueprint: A formalized security architecture diagrams how you should handle the changing threat and regulatory environments.

The Architectural Model: This security architecture clickable diagram depicts the elements of organizational security architecture and how they interact with each other.

Using role management in provisioning and compliance: Role management provides the necessary framework for enterprises to efficiently govern access to sensitive data based on workers' jobs. However, many organizations fail to rescind unnecessary access privileges when employees change roles.

Getting a security architecture aligned with an enterprise's overall architecture is hard because it's difficult to find the resources to look beyond individual projects and focus on the big picture, said Thornton Dyson, a Houston-based enterprise architect with a government agency. But the advantages of building security into the development lifecycle make the effort worthwhile, he said.

"Security is often tagged on at the end of the [application] development process," Dyson said. "And [during] the readiness review, the security team gets hit with a black eye because it seems like security is holding things up."

Advancing a security architecture agenda would help that problem, Dyson said, but getting non-security IT pros to buy into the concept takes work.

"It's a challenge. You stand up and talk about it whenever you can," Dyson said. "You make elevator speeches or talk about it at parties. But there's some indication that they're beginning to pay attention."

Separately, Scholtz strongly urged security professionals to consider their budding architectures from three unique viewpoints: organizational, business and technology. The U.K.-based analyst said this ensures that it is compatible with the goals of the organization, the priorities of business managers and with other relevant technologies.

Scholtz's other security architecture best practices included avoiding a fixation with any particular organizational structure or format, ensuring that a choice of technologies is a constant option, and above all remembering that an architecture should never remain static.

"We're talking about a collection of models that we should use as tools to develop the best solution on a case-by-case basis," Scholtz said.

As for that abandoned USB drive, Scholtz said he turned it over to airport authorities, but likes to tell the story to illustrate one of the many common security problems that a mature architecture can help mitigate.

"It's not about the data stick," he said, "but who receives the data."

E-Zine

0 comments

E-Mail

Username / Password

Password

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy